Using both forms and windows authentication together

Matt Adamson

Guys,

Does anyone know the best way to implement both Windows and forms-based
authentication in the same web site?

I'd like intranet-based Windows users to be able to use single sign-on and
not require them to log in, so the full Windows name including domain name
can be used. However, internet-based users should be required to
enter their credentials.

Any thoughts?

Cheers

Matt
 
Joe Kaplan

My new favorite way of implementing this type of architecture is to use
ADFS, as it supports this functionality out of the box. However, I probably
wouldn't suggest setting up ADFS just for this. If you were doing an
internal Web single sign on project across multiple apps or needed to
integrate identities with your external partners, then the extra effort is
easier to justify.

My preferred way of doing this type of thing without ADFS is to have
different URLs (possibly using split DNS to give you the same app name if
you are doing an intranet/extranet thing and have the ability to do split
DNS). With the external URL, use the AD membership provider for forms auth.
Inside, just use Windows auth.

There are ways of having the exact same app support both mechanisms
simultaneously, but aside from ADFS, all of the other implementations I've
seen are somewhat of a hack fest. I'm not a fan.

Joe K.
 
Matt Adamson

Thanks Joe

However, I'm a bit confused.

a) What do you mean by "With the external URL, use the AD membership
provider for forms auth. Inside, just use Windows auth"?

b) Why can you not use the same URL to log in? I thought you could access
Windows credentials even if forms authentication was enabled for a web site.

Cheers

Matt
 
Joe Kaplan

Basically, ASP.NET is designed to use forms auth OR Windows auth, but not
both at the same time. Like I said, some people have published hacks that
try to make both work together, but those are hacks. If you do some
searches, you'll probably find some code examples.

The AD Membership provider allows you to do forms auth against AD as the
backend using LDAP to authenticate users instead of Windows security
protocols that are used in IIS when you use Windows auth. As such, the AD
membership provider is usually a good way to implement forms auth against AD
without writing a bunch of custom forms auth code that is likely to be
flaky.

I hope that helps clarify what I was trying to say.

Joe K.
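
The two-URL layout described in the posts above, sketched as a pair of web.config files. This is an added example, not part of the original thread or any poster's code; the connection string name `ADConn`, the provider name `ADProvider`, the LDAP host and container, and `Login.aspx` are constructed placeholders.

```xml
<!-- External site web.config: forms auth, credentials validated against AD over LDAP -->
<configuration>
  <connectionStrings>
    <!-- Constructed placeholder: point this at your own domain controller and container -->
    <add name="ADConn"
         connectionString="LDAP://dc.example.local/DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the auth cookie and the posted password off plain HTTP -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
             timeout="20" slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- Reject anonymous users; the login page itself stays reachable -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="ADProvider">
      <providers>
        <!-- connectionProtection="Secure" protects the bind to the directory -->
        <add name="ADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConn"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>

<!-- Internal site web.config: Windows auth only.
     In IIS, enable Integrated Windows Authentication and disable anonymous access. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With `attributeMapUsername="sAMAccountName"` the external site sees a bare account name, while the internal site's `User.Identity.Name` carries the `DOMAIN\user` form, so any authorization or auditing code shared by the two sites needs to normalize the name before comparing.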
 
Dominick Baier

Oh yeah - ADFS is for everyone ;))

Well - actually I describe two ways of achieving this in my book - maybe
you wanna have a look (see link below)..
 
Joe Kaplan

I'm embarrassed to admit that I got Dominick's book over the holidays and
have not had time to read it yet. :(

Joe K.
 
